Part four
Metamorphosis
Integrating internal audit with the disciplines of enterprise risk management
One of the most important steps in transforming internal audit is integrating it with the discipline of enterprise risk management (ERM). Until this occurs, internal audit will have no certainty that it is controlling for “the risks that matter” which extend well beyond financial and compliance risks.

The first article in this series, Metamorphosis: Revitalising internal audit to drive performance, introduced Ernst & Young’s internal audit transformation model and established its value proposition. The second, Metamorphosis: Assessing the maturity of your internal audit function, looked at applying a “maturity model” to understand how to bridge the gap between current internal audit practice and the desired future level appropriate for your organisation. The third, Metamorphosis: Auditing behaviours to make control change sustainable, covered aligning the function of internal controls with the actual behaviours of the people across your organisation.

This fourth article covers the next phase in the transformation journey: the critical step of integrating the disciplines of internal audit and ERM. Achieving it involves reconsidering the scope of internal audit’s responsibility and how to staff the function to ensure it has the right skills and resources to execute its new role.
Gus Cummings, Ernst & Young Advisory Partner, is quick to point out that integration with risk management is at a disciplinary not a functional level.

“We are not suggesting organisational integration. It’s vital that functions and responsibilities remain separate. However, unless you integrate the disciplines of risk and audit, you are unlikely to have a clear relationship between internal audit and your organisation’s risk profile — which is essential if you want internal audit to focus on the right areas — ‘the risks that matter’,” says Cummings.

“Today, many organisations have one set of risks identified in their ERM process and another in their internal audit plan. The process of integrating your organisation’s risk map into your assurance model enables you to focus on assurance and control activities that are risk-based, rather than being conducted simply for the sake of delivering assurance.”

This need to integrate disciplines rather than functions can create a difficult balancing act.
According to the Institute of Internal Auditors (IIA), “internal auditing’s core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organisation’s ERM activities to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.” [1]

In other words, even where internal auditors may be at a more advanced stage in the risk assessment evolution than the organisation as a whole, they are not, and cannot be, responsible for implementing or maintaining the risk management framework.

It is vital that management maintains responsibility for risk management.

As Phil Turner, Rio Tinto’s Global Practice Leader for Sustainable Development Assurance explains, “Internal assurance providers should provide advice and they should challenge or support management’s decisions on risk, but they should never make risk management decisions.”

The IIA’s recommendations on internal audit roles in this area, from the same source as the previous quote, are outlined in Figure 1.

[1] The Institute of Internal Auditors, “The Role of Internal Auditing in Enterprise-wide Risk Management” position statement, 29 September 2004
Figure 1: The IIA’s recommendations on ERM roles internal audit should and should not undertake

Core internal audit roles in regard to ERM
• Giving assurance on the risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks

Legitimate internal audit roles with safeguards
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Co-ordinating ERM activities
• Consolidated reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing RM strategy for board approval

Roles internal audit should not undertake
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Taking decisions on risk responses
• Implementing risk responses on management’s behalf
• Accountability for risk management

Clarifying ERM responsibilities
• Board: Responsible for overseeing management’s design and operation of ERM, as well as setting and signing off on the organisation’s risk appetite.
• Management: Responsible for developing risk appetite, establishing the ERM framework, promoting the desired risk culture, establishing controls to manage risks within the board’s appetite and enforcing compliance.
• Risk officer: Responsible for establishing and maintaining an effective ERM framework, monitoring progress and assisting the board and managers in managing risk.
• Internal auditor: Responsible for assisting management, the board and/or the audit committee in the above processes by monitoring the entire ERM framework, evaluating controls, examining compliance, reporting findings and recommending improvements.
The immediate benefits of integrating the disciplines will depend on the progress internal audit has made in its own transformation. Where the internal audit function already has superior risk skills, integration will allow it to quickly start supporting the implementation of ERM. Where the balance of experience swings the other way, integration is an opportunity for internal audit to gain the new skills and focus that will enable it to support ERM going forward, eventually delivering value beyond compliance assurance.

Internal audit supporting risk management

In cases where internal audit has broader risk management skills than the organisation as a whole, the expertise of internal audit in considering risks, as well as in understanding the connections between risks and governance, can be extremely useful to the various players involved in developing ERM.

Specific areas where internal audit can support risk management include:
• Offering executive management the tools and techniques used by internal audit to analyse risks and controls.
• Being a champion for introducing ERM into the organisation, leveraging internal audit’s expertise in risk monitoring and control, along with its overall knowledge of the people, the systems and the operation.
• Providing advice, facilitating workshops, coaching the organisation on risk and control, and promoting the development of a common language, framework and understanding.
• Supporting individual managers responsible for mitigating particular risks.

To expand on this theme, internal audit has a role to play in all six of the main disciplines of ERM – both in assessing how organisations perform each of these disciplines and, where appropriate, in playing a consulting role to support the development of a robust ERM framework.
1 Assessing the ERM framework

Many organisations have evolved complex risk management frameworks with numerous risk, control and compliance activities that are rarely coordinated. The result is duplication, inefficiency and the potential for key risks to fall through the cracks. Constant demands for what is essentially the same information, couched in slightly different ways or seen through different lenses, place an unnecessary and fatiguing burden on the business. In these circumstances, internal audit can play an important role in establishing whether risk and control activities are aligned and coordinated, as well as in making suggestions that will improve efficiency.

2 Validating the true risk universe and identifying “the risks that matter”

Although our thinking on the risk universe has expanded well beyond the traditional elements of financial and compliance risk, many companies have yet to understand the full spectrum of risk they need to properly assess. Internal audit can play an important role in ensuring the organisation is scanning the broader business environment to identify emerging risks. In addition, internal audit’s independent risk assessments, which may include non-traditional risks, can feed into this part of the ERM development process. Internal audit can therefore independently validate management’s process of analysing risk without performing significant additional work because the annual planning activities invariably involve a similar analysis.
3 Mapping strategy to risks

Every time management goes through business planning, internal audit has a potential role to play. A large part of developing business strategy is identifying the risks to achieving objectives and allocating responsibility for managing those risks. Thus, every business strategy session results in a host of different owners responsible for mitigating and managing different risks. However, while businesses are usually good at identifying how risks will be managed and assigning ownership, the process often breaks down at this point. Internal audit can support the fragile link between intent and execution by establishing reporting lines and constantly assessing whether each owner is managing risk appropriately.

4 Mapping risks to controls

Having identified the applicable risks, the next step is to identify the key controls applied in managing those risks; those controls can range from pervasive, entity-level controls such as ethical policy and values down to specific, targeted transaction or process controls. This exercise should include identification of control ownership and can be extremely valuable in identifying control gaps or overlap.

5 Mapping controls to assurance provision (including management control self assessment)

With a risk-based control map developed, the business can develop an assurance coverage map identifying all parties providing assurance over control integrity. This should include management providing assurance through management control self assessment.

6 Mapping assurance cover – auditing “the risks that matter”

When the organisation maps its “risks that matter” to its controls and assigns assurance accountabilities, it can identify areas of duplication or overlap – where a number of assurance providers are focusing on the same issues. It can also identify coverage gaps. These are often operational or strategic risks that traditional compliance functions don’t reach, for example project management of a major greenfield development, workforce planning or change management.

Often internal audit is the best qualified and best positioned assurance provider to fill these gaps. Whilst such activities are a long way from the traditional financial control function, they are also where internal audit can frequently add the greatest value.
“The future of internal audit is in non-traditional, strategic risk areas such as HR, IT and project management. It is in these areas that internal audit will truly influence the strength, resilience and efficiency of the organisation’s control environment,” says Cummings. “For example, our internal audit work for a major not-for-profit organisation focused on its key risk area of engaging effectively with volunteers.”

Potential new areas of focus for internal audit
• Change management
• Project management
• Supply chain management
• Workforce planning
• Industrial relations
• Information technology strategy effectiveness
• Working capital management
• Financial sustainability
• Board performance reviews
• Environment and climate change
• Occupational health and safety
• Resource management
• Stakeholder management and engagement
Risk management improving internal audit

For organisations that already take a broad view of risk and balance risk mitigation with opportunities to improve performance, the process of integration will push internal audit into new areas, expanding its focus to a more holistic view of risk.

As Rob Perry, Ernst & Young Oceania Risk Leader explains, “This will help internal audit to take a risk-based approach, showing where it needs to focus in the business beyond financial compliance.”

“I believe a holistic view gives internal audit the opportunity to help the organisation to ‘think risk’. Good risk management requires management of culture and the way it connects to risk. This is a new way of thinking for most organisations. With its pervasive viewpoint and ‘access all areas’ pass to the organisation, the internal audit function has the potential to act as a change agent,” says Perry.

Skilling up internal audit

But for internal audit to step into the domain of culture change, and expand into more areas of the organisation, its current skill set will also need to expand. These challenges were explored in the third article in this series.

“Don’t fall into the trap of building your audit plan around your internal organisation. Instead, define your desired audit scope and assess whether the function has the skills and resources to match those requirements,” says Perry.

“If the function currently lacks risk management skills, the starting point may be to temporarily suspend the function’s independence and allow it to work closely with the risk management function to facilitate skills transfer.”
In its expanded role, internal audit will also require various subject matter experts to cover areas such as revenue assurance and contract management, mergers and acquisitions, project risk management, international market expansion, IT processes and projects, and people and change management.

Internal audit functions will need to open their recruiting policies and start to hire staff outside their audit universe. Heads of internal audit will need to become both expert recruiters and people developers.

To develop an audit team with the right range of skills, many companies turn to outsourcing or co-sourcing. One option is to adopt a hybrid approach: internal audit teams combining core internal audit practitioners with highly skilled specialists to perform audits in areas that require judgement and specialist technical knowledge such as tax or large construction projects, for example.

As Turner points out: “The benefit of multi-disciplinary internal audit teams is an increased focus on business improvements to achieve competitive advantage. A safety expert, for example, is able to see things from a completely different perspective, thereby identifying improvements that a financial auditor just wouldn’t see. We find these multi-disciplinary teams to be essential when we conduct our annual end-to-end process reviews.”

The Victorian Arts Centre is one organisation that outsources its internal audit function and it finds the resulting flexibility to draw on deep, multi-disciplinary skill sets to be an important benefit. Annabel Allen, Manager of Assurance & Compliance, says “As we have increasingly aligned our internal audit plan with the outcomes of our ERM processes over the last few years, we have found our proportion of financially-based audit projects has fallen, while our strategically-focused operational audit projects have grown. In responding to this trend, the ability to recompose our teams and draw in deep expertise based on the specific requirements of each project has been extremely valuable to us.”
Conclusion

Integrating the disciplines of ERM and internal audit creates a mutually-reinforcing relationship in which risk drives the internal audit agenda and the findings of internal audit feed back into the risk profile. It involves internal audit expanding its capabilities and embarking on a journey of change to adopt an assurance and consulting role with specialist technical knowledge and an enterprise-wide risk focus. This new role, as a de facto management consultant, will build its visibility and credibility. The function, which may well have been endured or feared by different parts of the organisation, should become a valued contributor, offering important skills to help improve processes and performance across the organisation.
Contacts

Gus Cummings
Oceania leader of internal audit transformation methodology
Tel: +61 3 9655 2571
gus.cummings@au.ey.com

ACT
Peter Bell
Partner
Tel: +61 2 6267 3967
peter.bell@au.ey.com

NSW
Mike Purvis
Partner
Tel: +61 2 9248 4733
mike.purvis@au.ey.com

South Australia
Mark Butcher
Partner
Tel: +61 8 8417 2000
mark.butcher@au.ey.com

Western Australia
Iain Burnet
Partner
Tel: +61 8 9429 2486
iain.burnet@au.ey.com

New Zealand
Paul Roberts
Head of Advisory, New Zealand
Tel: +64 9 308 1064
paul.roberts@nz.ey.com

Queensland
Ian Rodin
Partner
Tel: +61 7 3011 3313
ian.rodin@au.ey.com

Victoria
Rob Perry
Oceania Risk Leader
Tel: +61 3 9288 8639
rob.perry@au.ey.com

Ernst & Young
Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 144,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

For more information, please visit www.ey.com.

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

The Ernst & Young organisation is divided into five geographic areas and firms may be members of the following entities: Ernst & Young Americas LLC, Ernst & Young EMEIA Limited, Ernst & Young Far East Area Limited and Ernst & Young Oceania Limited. These entities do not provide services to clients.

© 2009 Ernst & Young Australia.
SCORE Retrieval File No. AUNZ00000086

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk.

Liability limited by a scheme approved under Professional Standards Legislation.

Australia<br />
Adelaide<br />
Mark Butcher<br />
Tel: +61 8 8417 2000<br />
mark.butcher@au.ey.com
Ernst & Young Building
121 King William Street<br />
Adelaide SA 5000<br />
Brisbane<br />
Ian Rodin<br />
Tel: +61 7 3011 3313<br />
ian.rodin@au.ey.com
Ernst & Young
1 Eagle Street<br />
Brisbane QLD 4000<br />
Canberra<br />
Peter Bell<br />
Tel: +61 2 6267 3967<br />
peter.bell@au.ey.com
Ernst & Young House
51 Allara Street<br />
Canberra ACT 2600<br />
Perth<br />
Iain Burnet<br />
Tel: +61 8 9429 2486<br />
iain.burnet@au.ey.com
Ernst & Young Building
11 Mounts Bay Road<br />
Perth WA 6000<br />
Melbourne<br />
Rob Perry<br />
Tel: +61 3 9288 8639<br />
rob.perry@au.ey.com
Ernst & Young Building
8 Exhibition Street<br />
Melbourne VIC 3000<br />
Sydney<br />
Mike Purvis<br />
Tel: +61 2 9248 4733<br />
mike.purvis@au.ey.com
Ernst & Young Centre
680 George Street<br />
Sydney NSW 2000<br />
New Zealand<br />
Auckland<br />
Paul Roberts<br />
Tel: +64 9 308 1064<br />
paul.roberts@nz.ey.com
Ernst & Young
41 Shortland Street<br />
Auckland 1010<br />
Indonesia<br />
Jakarta<br />
Bangkit Kuncoro<br />
Tel: +62 21 5289 5565<br />
bangkit.kuncoro@id.ey.com
Ernst & Young
Indonesia Stock Exchange<br />
Building Tower 1, 13th Floor Jl.<br />
Jend. Sudirman Kav. 52-53<br />
Jakarta 12190, Indonesia<br />